Skip to content

Instantly share code, notes, and snippets.

@gabonator
Created November 26, 2017 20:05
Show Gist options
  • Save gabonator/2c8885127cf6e0954c24e5d698ff99b6 to your computer and use it in GitHub Desktop.
Save gabonator/2c8885127cf6e0954c24e5d698ff99b6 to your computer and use it in GitHub Desktop.
ABcom satellite settop box protocol reverse engineering
/*
reverse engineering of ABcom Cryptobox 600HD mini dvbs box protocol
Firstly I examined android package (since it was easier to get it) "g-mscreen-2-3-11.apk". It
uses C++ library for implementing control protocol. Then I was trying to capture UPnP communication
from iphone connected to OSX running wireshark. But without luck. GMScreen allowed to connection
to box using ip address and port. This traffic was easier to caputre and analyse. Requests by
client application are human readable json/xml code. Some response packets are compressed using
zlib.
nm -D -C libdvbtoip.so | grep DVB
0000f0a0 T DVBtoIP::initialize()
0006cf10 B DVBtoIP::_serverList
0006cf0c B DVBtoIP::_clientHandle
0000f838 T DVBtoIP::getChannelURL(char const*)
0000f678 T DVBtoIP::getServerList(bool)
000103f4 T DVBtoIP::getChannelList(char const*, bool)
0000f0a8 T DVBtoIP::getChannelUserKey(char const*)
00010210 T DVBtoIP::updateChannelList(char*)
0000f1dc T DVBtoIP::initResourceForPlayer(int, char const*, int, int)
0000fc60 T DVBtoIP::upnpClientEventCallback(Upnp_EventType_e, void*, void*)
0000f49c T DVBtoIP::destroyResourceForPlayer()
0000fff8 T DVBtoIP::updateChannelListParseBuffer(char*, int*, std::map.....)
0000f0a4 T DVBtoIP::cleanup()
0006cf28 B DVBtoIP::_isInit
0000f1b4 T DVBtoIP::setSeed(int)
0000f790 T DVBtoIP::DVBtoIP()
0000f790 T DVBtoIP::DVBtoIP()
0000f5d4 T DVBtoIP::~DVBtoIP()
0000f590 T DVBtoIP::~DVBtoIP()
0000f590 T DVBtoIP::~DVBtoIP()
*/
var net = require('net');
const zlib = require('zlib');
const decompress = (buffer, handler) => zlib.unzip(buffer, {}, (err, buffer) => {err || handler(buffer.toString()); });
const alibuffer = (buffer) => "Start" + ("0000000" + buffer.length).substr(-7) + "End" + buffer;
const alijson = (json) => alibuffer(JSON.stringify(json));
satbox = new net.Socket();
satbox.connect(20000, "192.168.1.77", () =>
{
console.log('Satellite box connected');
satbox.write(alibuffer("<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><Command request=\"998\" />"));
//satbox.write(alijson({request:"22"})); // list of satellites
//satbox.write(alijson({request:"14"})); // ProductName, SoftwareVersion, MaxNumOfPrograms, cur_channel_list_type...
//satbox.write(alijson({request:"15"})); // StbStatus, ProductName, SoftwareVersion
//satbox.write(alijson({request:"4"})); // no response
satbox.write(alijson({request:"24"})); // unknown binary response
//satbox.write(alijson({request:"0",FromIndex:"0",ToIndex:"10"})); // "ServiceID":"00010013405044", "ServiceName":"Markiza HD"
//satbox.write(alijson({"request":"1009","TvState":"0","ProgramId":"00010012413208"})); // streaming request?
//satbox.write(alijson({"request":"1040","array":[{"KeyValue":"1"}]})); // key up
//satbox.write(alijson({"request":"1040","array":[{"KeyValue":"2"}]})); // key down
});
satbox.on('close', () => console.log('Connection closed'));
satbox.on('data', (data) =>
{
if (data[0] == 0x5b && data[1] == 0x5b)
console.log(data); // unknown encoding
else if (data[0] == 0x78 && data[1] == 0x9c) // gzip
decompress(data, (decompressed) => console.log(decompressed));
else if (data.length == 16 && data.toString().substr(0, 4) == "GCDH")
{} // ack header before data
else
console.log(data);
});
/*
[{
"StbStatus": 1,
"ProductName": "600HD Mini",
"SoftwareVersion": "1.09.17769_patch",
"SerialNumber": "170428042664",
"ChannelNum": 281,
"MaxNumOfPrograms": 6100
}]
*/
@Amadeus23000
Copy link

Amadeus23000 commented Dec 6, 2020

Hello @gabonator and thank you so much for The script, it works great!
I only have a few things to add as I have been fiddling with your script for the last 2 months or so (still am)
I had no idea this was still active otherwise I would have contributed a long time ago

So anyway Here's my notes and my whole experience with it, I hope it benefits some of you.

1 - Modify your IP address in the script to the one of your STB (preferably make it a static IP address from the WIFI settings on your STB so you don't have to keep changing the script so often)

2 - Check how many channels your STB has and add lines as much as you need to, in the part of the script shown below.
Otherwise if you ask for channel(prognumber) 1000 and you only have lines up to 999 in your script, it will fail to find the channel and you will instead end up getting "Channel not found"
Note that it's okay to add lines more than you STB actually has, but the more you add the longer it will take to load

  .then( (resp) => maxChannels = resp[0].ChannelNum )
  .then( () => AliTv.requestChannelRange(0, 99) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(100, 199) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(200, 299) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(300, 399) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(400, 499) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(500, 599) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(600, 699) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(700, 799) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(800, 899) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(900, 999) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(1000, 1099) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv._channels);

3 - Remove these 3 lines as they appear to actually stop the stream from starting

//.then( (current) => AliTv.getStreamUrl("DAJTO HD") )
.then( (current) => AliTv.getStreamUrl("TA3 HD") )
//.then( (current) => AliTv.getStreamUrl("Markiza HD") )

I was stuck here for almost 2 weeks trying different request numbers, modifying the script, before finally realizing that I only had to delete these 3 lousy lines in order to get a working stream, I hope you can update your script.

4 - the line: " // watch "rtp://@:5114" in vlc " doesn't seem to work for some reason, I've tried installing both 32bits and 64bits versions of VLC and still nothing, I realize it's probably fairly easy to fix it but I have no expertise in any kind of programming so I couldn't do anything about it.

You have to open the stream in VLC yourself. You can also use your IP address instead of the "@" in case you're using another player that doesn't understand that format

5 - the app and the script supports STBs that have the following chipsets:
(It's not mentioned anywhere in the app's info so I thought I'd mention it here)

ALI_3329
ALI_3510E
ALI_3511
ALI_3516
ALI_3526
ALI_3601
ALI_3606
ALI_3616
ALI_3618
ALI_3821
BCM
GPRS_6500
GX3200
GX6601
GX6601E
GX6622
G_CARD
HAISI
HD7101
HISI3712
HISI3719
HISI3796
MSD7819
MSD7821
MSTAR
NT78326
SUNPLUS
SUNPLUS
TCS131
TCS188
TRIDENT_8471

But there could be more platforms supported as this is taken from the decompiled "G-MScreen 2.3.11.apk" dating back to 2016 or possibly earlier
The G-mscreen app was also named Big2small, and AB CryptoDroid at some point

6 - I also found out that the Sat2ip server integrated in the ALi chipsets that support G-mscreen is based on the feng streaming server
https://github.com/lscube/feng

@Amadeus23000
Copy link

Btw I'm talking about AlifengStb Script and not this one

@Amadeus23000
Copy link

Amadeus23000 commented Dec 7, 2020

As for the scrambled channels part (which is what I've been looking into the most) here's what I've gathered so far:

Scrambled channels seem to not work with the script but they work just fine with the app so there has to be something missing in the script.
So I started trying different things and doing a lot of wireshark capturing and analyzing (even though I'm not an expert)
From my observations I noticed the following:

The script is able to send the stream successfully to the unicast address but it's encrypted and can't be read by VLC or any of the other players whether it be on windows, linux or android (believe me! I've tried them all, with the exception of FFmpeg )
VLC can't even tell that it's a stream, only wireshark detects it as "scrambled ts payload"
I'm guessing Pat/Pmt headers (or SID i'm not quite sure) are being sent encrypted too so that's why it wasn't recognized by VLC as a valid stream
I know this after capturing the stream and extracting it from Wireshark as udp raw then analyzing it with TS-Doctor.

However,
If you remove this line from the script:

 "camode=" + channelModel.Scramble + "&" + 
// "camode=0" + "&" + from the script 

You will receive the stream as it is, without any encryption or decryption from the server's part (STB)
And you'll be able to open it with VLC, with no output but you will be able to read media/codec info of the stream

Node Ali.js log:

Start0000051End{"request":"0","FromIndex":"4300","ToIndex":"4399"}
done
Start0000051End{"request":"0","FromIndex":"4400","ToIndex":"4499"}
done
Start0000015End{"request":"3"}
done
Sky Sport 1 HD
Start0000016End{"request":"24"}
done
< SETUP rtsp://192.168.1.20:554/?alisatid=1&freq=11914&pol=h&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=27500&fec=1&vpid=767&apid=770&ttxpid=32&subtpid=0&pmt=98&prognumber=0129&pids=767,770,32,0,98& RTSP/1.0
< Transport: RTP/AVP/UDP;unicast;client_port=5114-5115
< CSeq: 1
< User-Agent: VLC/3.0.10 LibVLC/3.0.10

Connection closed

RTSP/1.0 200 OK
CSeq: 1
Server: ALi feng/2.1.0_rc1
com.ses.streamID: 2
Transport: RTP/AVP;unicast;source=192.168.1.20;client_port=5114-5115;server_port=5004-5005;ssrc=8DCA9850
Session: 9830880ecba02e68
Date: Week 4, 1 Mon0 0070 00:07:50 GMT

< PLAY rtsp://192.168.1.20:554/stream=2 RTSP/1.0
< CSeq: 2
< Session: 9830880ecba02e68
< User-Agent: VLC/3.0.10 LibVLC/3.0.10

RTSP/1.0 200 OK
CSeq: 2
Server: ALi feng/2.1.0_rc1
Session: 9830880ecba02e68
Range: npt=0-
RTP-Info: url=rtsp://192.168.1.20:554/stream=2;seq=46208;rtptime=2337488423
Date: Week 4, 1 Mon0 0070 00:07:50 GMT

This is what I get on VLC when playing the stream URL
Tested with: Sky Sport 1 HD on Astra 19.2°E

"
Current Media Information: (Codec tab)

Information about what your media or stream is made of.
Muxer, Audio and Video Codecs, Subtitles are shown.

  • Program 129
    Scrambled: Yes

  • Stream 0
    Original ID: 32
    Codec: Teletext (telx)
    Language: German
    Description: Teletext
    Type: Subtitle

  • Stream 1
    Codec: Teletext (telx)
    Language: German
    Description: Teletext: additional information
    Type: Subtitle

  • Stream 2
    Original ID: 767
    Codec: H264 - MPEG-4 AVC (part 10) (h264)
    Type: Video
    Orientation: Top left

  • Stream 3
    Original ID: 770
    Codec: A52 Audio (aka AC3) (252)
    Language: qae
    Description: clean effects
    Type: Audio

  • Stream 4
    Original ID: 772
    Codec: A52 Audio (aka AC3) (52)
    Language: qaf
    Description: clean effects
    Type: Audio

"

I then then moved on to testing with a different channel, a more basic one that has simple BISS scrambling.

I found that you could actually decrypt it easily with VLC by adding this line in edit options ":ts-csa-ck=1100001100000000" with 1100001100000000 being the BISS key for that channel that I already knew in advance.
So here VLC acted as a descrambler, and It descrambled the transport stream on the client side (PC) instead of server side (STB)

To clarify more, there seems to be two lines to be used here:
one for odd CSA encryption key ":ts-csa-ck="
and one for even CSA encryption key ":ts-csa2-ck="
I'm still not quite sure how to fully take advantage of this feature but I'm guessing it only works with simpler scrambling methods that only requires you a 16 char key like BISS or CW.
So I hope this helps some of you.

But it would be really awesome if someone could make a plugin/extension for VLC or for any other user friendly player that descrambles the transport stream using CCcam or OSCam server or any of the other Cams
There are already many plugins out there that do exactly that, namely HADU, HDVB, Acamd, NWemu and Flycccam
Found here: (https://skystar-2.com/dvb-plugins.htm)
but they were only intended for use with DVBCore based applications like ProgDVB.

I believe Tsdecrypt on Linux can do that too (https://github.com/gfto/tsdecrypt) but I found it not very user friendly and couldn't get it to work as I'm not that familiar with Linux. (more testing to be done in the future)
it basically reads from a UDP or RTP source and then decrypt it using keys retrieved from an OSCam server
DVBlast (https://github.com/gfto/dvblast) can apparently do that too, but it's even way more complicated to get it to work

As for Wireshark, it still shows it as "Scrambled TS payload" for both streams with the Camode line and without it.
Even when capturing packets while using the app itself (Androidx86+Wicap) you can see it's playing a scrambled channel just fine on G-mscreen but still shows the same request being sent to the server in the pcap dump, I just couldn't spot the difference
But I must admit I'm not that familiar with packet analyzing tools, rather just casual use, so eventually I was stuck here and hit a dead end.
I can upload both pcap files if you want to analyze them yourself, may be using tcpdump can give you more insight?

So right now I'm still trying to figure out how the app can play the stream and VLC can't, when they both send the exact same request (OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN) to the server

My best guess is that there is some sort of shared key or password shared between the app (client) and the server (STB) which is used to encrypt the stream server side then decrypt it client side on the app

But I also read somewhere in rtsp documentation or sat>ip I don't remember very well, that the encryption key (if there is one) will not be sent in plain text in the transport stream so there's that to think about too.

My other guess is that if there is such a key, the only way you could find it is either by further reverse engineering the app (may be newer versions of it?) + further analyzing the packets sent in a TS stream for a BISS scrambled channel (for easy reading) that you already have the key for.
Or, in the case that it's a unique key for every STB we're looking for, then we'll have to dig even deeper and find it somewhere in the firmware dump (or may be just in the STB settings)

Mind that these are all merely suggestions and remarks, and I don't actually know how to do any of the above :p

I've done many testing on windows, Linux and android, which i will try to summarize more later
like installing PrimeOS and then capturing the packets with Wicap-Sniffer-Pro (which exports to pcap) while G-mscreen is playing the scrambled channel
But still Wireshark only sees "scrambled ts payload"

I even found a way to use G-mscreen with the iPad while capturing with Wireshark on pc
it's fairly easy to get it to work, I expected it to be a lot harder to pull off tbh.
Here's how:
Just use this very simple app called MyPublicWiFi (https://mypublicwifi.com/publicwifi/en/index.html), you don't need a second WIFI dongle just set up a hotspot with network option:(internet connection sharing), start hotspot, connect your iOS device to the hotspot, launch and login with G-mscreen using the IP address of your STB as it won't detect anything, fire up Wireshark and you're good to go.
You'll find that wireshark is capturing the data sent by your iOS device to the STB. And hopefully it will give you more insight.

Hopefully we can get somewhere with this.

@Delitants
Copy link

Delitants commented Dec 7, 2020

Amadeus23000

Look, I used to be able to play paid channel over the script a year ago or so, I just don't remember how I did it. So yes it is possible. I'm just not seeing any kind of UDP traffic sent at all. Messing with camode line doesn't really help.
Regarding what you are saying, that's not going to play in VLC is wrong, because you need to tune your primary receiver with proper CAM inserted on the the same channel. Of course you will not be able to play anything else. Duh!

@Amadeus23000
Copy link

Neolo

Could you elaborate more? was it the same script? and which part of the script did you modify exactly
I can see UDP packets just fine in both FTA and Scrambled channels with or without the camode line
Could it have just been an older software version of your STB that made it possible? when was the last time you updated your STB?

@Delitants
Copy link

Delitants commented Dec 8, 2020

I’f I’d knew what I did a year ago, I wouldn’t write here now. Script is ali.js (the new one)
It’s 750HD and firmware is the same I had before. Could be otherwise, too new.
Script gives no udp output. Firewall is disabled. App within the same network works just file.
I’m going to decompile the app in ghidra and see if there is any useful information can be read.

@Amadeus23000
Copy link

Amadeus23000 commented Dec 8, 2020

You should first try Nox player+Gmscreen (or any other decent Android emulator) install and launch the app, login to your STB using the IP address, play a FTA channel, it won't actually play but the packets will flow, keep monitoring with Wireshark because you may have to try this a couple times before you get a working stream, fire up rtp://@:10022 on VLC and you should get a picture.

This way you can tell the source of you problem if it's coming from the script, or from your pc/router configurations
Or may be even the STB itself? if you're still not getting any working stream or UDP packets at all, I would reset to factory settings just in case.

@Delitants
Copy link

I can sniff packets on the router, but it's not really helpful, same RTP stuff.

@Amadeus23000
Copy link

Can you watch FTA channels with the script just fine? or your problem is just with scrambled?

@Amadeus23000
Copy link

Amadeus23000 commented Dec 8, 2020

`
node ali.js
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"280","ToIndex":"360"}
done
Start0000015End{"request":"3"}
done
M9 HD
Start0000016End{"request":"24"}
done
Start0000016End{"request":"24"}
done
< SETUP rtsp://192.168.1.8:554/?alisatid=10&freq=12149&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=27500&fec=4&camode=1&vpid=2202&apid=2203&ttxpid=8191&subtpid=0&pmt=2201&prognumber=2200&pids=2202,2203,8191,0,2201& RTSP/1.0
< Transport: RTP/AVP/UDP;unicast;client_port=5114-5115
< CSeq: 1
< User-Agent: Lavf57.52.100

You can also try to start the stream with the RTSP URL of your channel on VLC
rtsp://192.168.1.8:554/?alisatid=10&freq=12149&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=27500&fec=4&camode=1&vpid=2202&apid=2203&ttxpid=8191&subtpid=0&pmt=2201&prognumber=2200&pids=2202,2203,8191,0,2201&

VLC can actually start the stream and keep it alive (for a while) and it would send the same (OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN) to the server just like it would with the script
But for some reason VLC sends a teardown request after only 41 seconds

@Amadeus23000
Copy link

@gabonator , @Neolo

Any luck getting paid channels to work? Is there any hope at all?!

@Delitants
Copy link

I will mess with it tomorrow.

@Delitants
Copy link

yeah, this script is bad, it plays nothing but clear channels, but MGScreen plays everything

@lbenz
Copy link

lbenz commented Dec 13, 2020

yeah, this script is bad, it plays nothing but clear channels, but MGScreen plays everything

So rewrite this script with scrambled channel decrypter, code it guy. You should be aware, you have to reverse apk app to understand application put breakpoint into assembly code (lol), do you even know DVB API an its whole complexity, could you decrypt udp packet byte per byte, i'm sure you didn't know zlib compression was used between gmscreen communication and stb.
This script make all i have say before and more. So don't say this script is bad.

@Delitants
Copy link

Delitants commented Dec 13, 2020

Yeah? Then what was the problem to enable scrambled ch playback? Nowadays there is no FTA left on any sat, making script useless. What, legal issues? Seems MGscreen doesn't have any.

@Amadeus23000
Copy link

Amadeus23000 commented Dec 16, 2020

I think it could be missing these strings:

public static final String G_MS_BROADCAST_INFO_MAGIC_CODE = "39WwijOog54a";
public static final int G_MS_BROADCAST_INFO_MAGIC_CODE_LEN = 12;

Alongside "GCDH"

@Delitants
Copy link

I think it could be missing these strings:

public static final String G_MS_BROADCAST_INFO_MAGIC_CODE = "39WwijOog54a";
public static final int G_MS_BROADCAST_INFO_MAGIC_CODE_LEN = 12;

Alongside "GCDH"

Do you know how to put that in the script?

@Amadeus23000
Copy link

No, but I'm hoping the author would.

@MedDhiia
Copy link

MedDhiia commented Dec 27, 2020

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

@Amadeus23000
Copy link

Try these steps:

2 - Check how many channels your STB has and add lines as much as you need to, in the part of the script shown below.
Otherwise if you ask for channel(prognumber) 1000 and you only have lines up to 999 in your script, it will fail to find the channel and you will instead end up getting "Channel not found"
Note that it's okay to add lines more than you STB actually has, but the more you add the longer it will take to load

  .then( (resp) => maxChannels = resp[0].ChannelNum )
  .then( () => AliTv.requestChannelRange(0, 99) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(100, 199) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(200, 299) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(300, 399) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(400, 499) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(500, 599) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(600, 699) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(700, 799) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(800, 899) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(900, 999) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(1000, 1099) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv._channels);

3 - Remove these 3 lines as they appear to actually stop the stream from starting

//.then( (current) => AliTv.getStreamUrl("DAJTO HD") )
.then( (current) => AliTv.getStreamUrl("TA3 HD") )
//.then( (current) => AliTv.getStreamUrl("Markiza HD") )

@lbenz
Copy link

lbenz commented Dec 27, 2020

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

We have same problem, i already tried lots of requests to catch some channel, but without luck unfortunately.
It seems chipset GS21200GB is not fully compatible.

@MedDhiia
Copy link

Try these steps:

2 - Check how many channels your STB has and add lines as much as you need to, in the part of the script shown below.
Otherwise if you ask for channel(prognumber) 1000 and you only have lines up to 999 in your script, it will fail to find the channel and you will instead end up getting "Channel not found"
Note that it's okay to add lines more than you STB actually has, but the more you add the longer it will take to load

  .then( (resp) => maxChannels = resp[0].ChannelNum )
  .then( () => AliTv.requestChannelRange(0, 99) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(100, 199) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(200, 299) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(300, 399) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(400, 499) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(500, 599) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(600, 699) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(700, 799) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(800, 899) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(900, 999) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv.requestChannelRange(1000, 1099) )
  .then( (subChannels) => AliTv._channels = AliTv._channels.concat(subChannels) )
  .then( () => AliTv._channels);

3 - Remove these 3 lines as they appear to actually stop the stream from starting
//.then( (current) => AliTv.getStreamUrl("DAJTO HD") )
.then( (current) => AliTv.getStreamUrl("TA3 HD") )
//.then( (current) => AliTv.getStreamUrl("Markiza HD") )

Yes i did everything and i tried a lots of requests but there's no channels

@MedDhiia
Copy link

done
[
  {
    StbStatus: 1,
    ProductName: 'SR-T50 SUPER',
    SoftwareVersion: '2.85',
    ChannelNum: 16,
    MaxNumOfPrograms: 7000
  }
]
Start0000016End{"request":"15"}
done
Start0000046End{"request":"0","FromIndex":"0","ToIndex":"99"}
done
Start0000049End{"request":"0","FromIndex":"100","ToIndex":"199"}
done
Start0000049End{"request":"0","FromIndex":"200","ToIndex":"280"}
done
[ { Command: '' }, { Command: '' }, { Command: '' } ]
Start0000015End{"request":"3"}
done

Request "0" is always empty i can't get the channels list ?

We have same problem, i already tried lots of requests to catch some channel, but without luck unfortunately.
It seems chipset GS21200GB is not fully compatible.

Thanks for you response ... Me too i tried a lots of requests i got the TP list on 24 and the satilites lists on 23 i think even the signal strength but there no channels list ... If the problem is with the chipset then why we can found all of this and no channels lists it's kinda wired no ?

@lbenz
Copy link

lbenz commented Dec 28, 2020

No idea why, we could reverse engineering firmware's box through binwalk to find interested things. If you have access to RS232 interface you could go this way. An other interesting thing is I want to understand how funcam sharing works. Anyway, if i find solution i'll share here.

@rameres8
Copy link

rameres8 commented Mar 25, 2021

Please How to creat any script to decrypt firmware Ali3526
or how to creat any logiciel to unpack firmware Ali3526 from code of gabonator
how to build any script from code of gabonator

@elloza
Copy link

elloza commented May 8, 2021

Hello everyone!

I'm trying to use the script (ali.js) in order to view the rstp stream from a Qviart Mini but I have tried the SETUP URL in VLC with any luck...

Could @Amadeus23000 or someone with experience with this code point me in the right direction? What URL is the right one for play the stream in VLC?

I got this error in the VLC log:

live555 error: Failed to connect with rtsp://192.168.0.113:554/?alisatid=0&freq=10818&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=167&apid=120&ttxpid=8191&subtpid=0&pmt=1038&prognumber=9967&pids=167,120,8191,0,1038&
satip error: Failed to play RTSP session

Thanks in advance!!

Start0000016End{"request":"15"}
done
[
  {
    StbStatus: 1,
    ProductName: 'QVIART MINI',
    SoftwareVersion: '1.20',
    SerialNumber: 'XXXX',
    ChannelNum: 196,
    MaxNumOfPrograms: 6100
  }
]


.........

< SETUP rtsp://192.168.0.113:554/?alisatid=0&freq=10818&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=167&apid=120&ttxpid=8191&subtpid=0&pmt=1038&prognumber=9967&pids=167,120,8191,0,1038& RTSP/1.0
< Transport: RTP/AVP/UDP;unicast;client_port=5114-5115
< CSeq: 1
< User-Agent: Lavf57.52.100

Connection closed
> RTSP/1.0 200 OK
> CSeq: 1
> Server: ALi feng/2.1.0_rc1
> com.ses.streamID: 2
> Transport: RTP/AVP;unicast;source=192.168.0.113;client_port=5114-5115;server_port=5006-5007;ssrc=4483D70A
> Session: 42eb817a115a268e
> Date: Week 4, 1 Mon0 0070 00:11:20 GMT

@elloza
Copy link

elloza commented May 8, 2021

Hello again,

I have figured out how to play in VLC the SETUP URL (I was running the script and VLC at the same time and it seems that it's incompatible).

I was able to play 40 seconds selecting an FTA channel (The same behaviour that @Amadeus23000 described previously).

When I try to play the SETUP URL of a scrambled channel with VLC several warnings appear in the console log of VLC with logs at verbose level (2).

main debug: creating demux: access='rtsp' demux='any' location='192.168.0.113:554/?alisatid=0&freq=10906&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=163&apid=98&ttxpid=8191&pmt=1027&prognumber=30004&pids=163,98,8191,1027&' file='\\192.168.0.113:554\'
main debug: looking for demux module matching "any": 55 candidates
main debug: looking for xml reader module matching "any": 1 candidates
main debug: using xml reader module "xml"
webvtt debug: subtitle demux discarded
ts debug: Standard set to Auto
main debug: using demux module "ts"
ts debug: DEMUX_SET_GROUP 0 00000000
main debug: looking for meta reader module matching "any": 2 candidates
lua debug: Trying Lua scripts in C:\Users\Loza\AppData\Roaming\vlc\lua\meta\reader
lua debug: Trying Lua scripts in C:\Program Files (x86)\VideoLAN\VLC\lua\meta\reader
lua debug: Trying Lua playlist script C:\Program Files (x86)\VideoLAN\VLC\lua\meta\reader\filename.luac
main debug: no meta reader modules matched
main debug: `rtsp://192.168.0.113:554/?alisatid=0&freq=10906&pol=v&msys=dvbs2&mtype=8psk&ro=0.35&plts=on&sr=22000&fec=2&camode=1&vpid=163&apid=98&ttxpid=8191&pmt=1027&prognumber=30004&pids=163,98,8191,1027&' successfully opened
ts debug: pid[163] unknown
ts debug: first packet for pid=163 cc=0x8
ts warning: scrambled state changed on pid 163 (0->1)
ts debug: pid[98] unknown
ts debug: first packet for pid=98 cc=0xc
ts warning: scrambled state changed on pid 98 (0->1)
ts debug: pid[1027] unknown
ts debug: first packet for pid=1027 cc=0x8
ts debug: pid[1863] unknown
satip warning: Gap in seq_nr (399 > 398), probably lost a packet
satip warning: Gap in seq_nr (451 > 450), probably lost a packet
satip warning: Gap in seq_nr (453 > 452), probably lost a packet
satip warning: Gap in seq_nr (456 > 455), probably lost a packet
satip warning: Gap in seq_nr (1338 > 1337), probably lost a packet
satip warning: Gap in seq_nr (1392 > 1390), probably lost a packet
satip warning: Gap in seq_nr (1735 > 1734), probably lost a packet
satip warning: Gap in seq_nr (1744 > 1740), probably lost a packet
satip warning: Gap in seq_nr (1753 > 1751), probably lost a packet
satip warning: Gap in seq_nr (1780 > 1779), probably lost a packet
satip warning: Gap in seq_nr (6773 > 6771), probably lost a packet
satip warning: Gap in seq_nr (6999 > 6998), probably lost a packet
satip warning: Gap in seq_nr (7246 > 7245), probably lost a packet
satip warning: Gap in seq_nr (7558 > 7554), probably lost a packet
satip warning: Gap in seq_nr (7640 > 7637), probably lost a packet
satip warning: Gap in seq_nr (7714 > 7712), probably lost a packet
satip warning: Gap in seq_nr (7721 > 7718), probably lost a packet
satip warning: Gap in seq_nr (7733 > 7732), probably lost a packet
satip warning: Gap in seq_nr (7735 > 7734), probably lost a packet
.....
satip warning: Gap in seq_nr (18231 > 18230), probably lost a packet
satip debug: timed out waiting for data...
ts debug: Can't read TS packet at 17459372
main debug: EOF reached
main debug: removing module "ts"
main debug: removing module "record"
main debug: removing module "cache_block"
main debug: removing module "satip"
satip error: Failed to teardown RTSP session
main debug: dead input
main debug: changing item without a request (current 2/3)
main debug: nothing to play
qt debug: IM: Deleting the input

I think it could be a misconfiguration of the VLC because after sniffing the transmitted data from the Android G-MScreen app, the requested URL is the same... (I'm sorry for my ignorance on this topic pretty new in this topic).

@Delitants
Copy link

Forget it, it won’t play scrambled channel. Didn’t you read the story above?

@mohammadhosin
Copy link

if your connection break after 41s
just you shoud send fake request with metod OPTION and same session every 30s.

@assiless
Copy link

assiless commented Oct 11, 2023

I generate various requests until 2000 for the moments, there is nothing interesting but i will continue to check. Anyway, thank you very much for your help and your works, i appreciate, if I get some good news I will share here 😉

@lbenz ,
you have gn-cx200 minihd platinum which have gx6605s the same chip in my stb starsat sr-4040hd vega
gx6605s it's quite popular this and this

i want to get the channel list and possibly set other channel as current

what i have tested (0..2000)
0 => empty
... => empty
14 => empty
15 => StbStatus, ProductName, SoftwareVersion, SerialNumber, ChannelNum, MaxNumOfPrograms
16 => empty
... => empty
18 => empty
19 => Data: "0"
20 => empty
21 => empty
22 => list of satellites
23 => Data: "0"
24 => list of tps
25 => empty
26 => JSON Parse error
27 => empty
... => empty
402 => take long and end without response
403 => strength, quality
404 => take long and end without response
... => empty
998 => Error: Invalid response packet
... => empty
1012 => JSON Parse error: Unexpected identifier "undefined"
... => empty
2000 => empty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment